Everything You Know About 'Secure' Passwords Is Wrong

News
By
published

A lot of the advice you've received about passwords over the last 14 years was wrong, says the man who came up with most of it.

A lot of the advice you've received about passwords over the last 14 years was wrong, says the man who came up with most of it.

Bill Burr, formerly of the National Institute of Standards and Technology, now says that his 2003 guide on creating strong, secure passwords could actually make you more vulnerable to hacking.

Credit: designer491/Shutterstock

(Image credit: designer491/Shutterstock)

"Much of what I did I now regret," Burr, now 72 and retired, told the Wall Street Journal in an interview.

The document, "NIST Special Publication 800-63. Appendix A," was an 8-page guide to creating passwords, though the suggestions were easy to guess and ultimately led to lazy security practices. The advice led users to insert obvious special characters in place of letters (like using a dollar sign instead of an "s"), tossing in a few numerals and potentially unexpected capital letters. (The original recommendations are pages 46-54 on this archived document.)

Following this guidance, one might create a password like "P@sswrD1!" that looks complex but is easy to guess, thanks to such common substitutions. Burr also wrote that users should change their passwords every 90 days, but that led user to make only small, incremental changes, like updating to "P@sswrd2!" or something equally easy to guess and lulling users into a false sense of security.

New NIST guidelines by advisor Paul Grasssi did away with Burr's rules completely, including requirements for special characters and changing after a specific mount of time.

You can find our own guide to creating safe, strong passwords here. We recommend using at least 15 characters in your passwords, as stronger computers can crack shorter passcodes quickly, as well as using upper-case and lower-case letters, special characters and numbers. Don't use the same password in two places (especially with the same user name or email address) and store them all in a password manager.

"In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” Burr said. But it's never too late to start with strong security practices.

See more Computing News
TOPICS
Andrew E. Freedman
Andrew E. Freedman

Andrew E. Freedman is an editor at Tom's Hardware focusing on laptops, desktops and gaming as well as keeping up with the latest news. He holds a M.S. in Journalism (Digital Media) from Columbia University. A lover of all things gaming and tech, his previous work has shown up in Kotaku, PCMag, Complex, Tom's Guide and Laptop Mag among others.

More about online security
Elon Musk holding chainsaw at CPAC

Musk's DOGE faces massive backlash and 12 data privacy lawsuits — how safe is your data?
A laptop displaying the Chrome logo

Don't click this — malicious ads impersonating Google Chrome spreading dangerous malware
LEGO Star Wars with Deal Badge

Massive Lego sale is live from $7 at Amazon — 15 deals I'm shopping now
See more latest
3 Comments Comment from the forums
  • PeterKendrick
    Following this guidance, one might create a password like "P@sswrD1!" that looks complex but is easy to guess, thanks to such common substitutions. Burr also wrote that users should change their passwords every 90 days, but that led user to make only small, incremental changes, like updating to "P@sswrd2!" or something equally easy to guess and lulling users into a false sense of security
    .

    Apart from this, "We recommend using at least 15 characters in your passwords, as stronger computers can crack shorter passcodes quickly, as well as using upper-case and lower-case letters, special characters and numbers. Don't use the same password in two places (especially with the same user name or email address) and store them all in a password manager."

    I would recommend everyone to follow DICE technique for setting up a strong password.
    https://archive.org/embed/how-to-make-a-super-secure-password?autoplay=1
    Reply
  • Strider79
    Too bad the one word example's they give on the link (in the 2nd to last paragraph above, if you go to that site) for "iH82wkl8" would be cracked by a computer in 2 hours or less - so not really a great example. I like the "Dice" method mentioned by Peterkendrick. I use a similar method of a phrase ranging from 4 to 7 words of variable lengths (can be 4 to 7 letters) and then jumble up the phrase so it's not a recognizable phrase. For instance "sky high fly you into" would take a ridiculous amount of time (checked on this site (https://howsecureismypassword.net/) takes 41 Quadrillion years) on normal computers to "crack". Whether that's true or not, I don't know for sure, but this is similar to the Dice Method. Not sure websites allow you to just do lower case letters or whatever for the password. They have their own rules of what you "need" to do in order to be safe, and most of the ways would get cracked in no time flat. For instance, they would require you to have minimum 8 letters, one captitalized, one symbol, one number, tc.
    Reply
  • PeterKendrick
    The dice method is indeed effective though tiring to recall and extra steps.
    Reply